Cisco Support Community
New Member

Best practice removal of "Proxy Arp"

I wanted to remove the "proxy arp" off the outside and DMZs. Would this create issues?

3 REPLIES
Hall of Fame Super Blue

Re: Best practice removal of "Proxy Arp"

It depends on whether or not you have "static" statements in your config, i.e.

static (inside,outside) 217.22.12.66 192.168.5.1 netmask 255.255.255.255

This tells the ASA that any traffic received on the outside interface for 217.22.12.66 should be translated to 192.168.5.1 and forwarded to the inside. If you disable proxy-arp on the outside interface then the above would stop working because the ASA can no longer respond for ARPs to the public IP address.

Jon

New Member

Re: Best practice removal of "Proxy Arp"

OK... so since I'm using static commands I shouldn't have any issue with the outside "proxy arp removal"?

Hall of Fame Super Blue

Re: Best practice removal of "Proxy Arp"

Apologies if I didn't explain correctly. If you have any static commands that reference either the outside or dmz interfaces then there will be an issue removing. You can only remove it where the firewall does not have to respond to an ARP for that IP address. The interfaces you are concerned with are the second one in the static command, i.e.

static (inside,outside) ....

removing proxy-arp on the outside would cause a problem

static (outside,inside) ....

wouldn't cause a problem removing proxy-arp on outside

Usually the outside interface is the one where you need proxy-arp.

Jon
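
The rule from the replies above (the second interface in each static statement is the one that must keep answering ARP) can be checked against a saved configuration before proxy ARP is turned off anywhere. The following is an added example, not part of the thread or of any Cisco tool. It assumes the pre-8.3 `static` syntax quoted in the thread and that proxy ARP is disabled per interface with `sysopt noproxyarp <interface>`; the function name `audit_proxy_arp` and every sample line except the first static are constructed.

```python
import re
from collections import defaultdict

# Pre-8.3 syntax quoted in the thread: static (real_if,mapped_if) mapped_ip real_ip ...
STATIC_RE = re.compile(r"^\s*static\s+\(([^,\s]+),([^)\s]+)\)\s+(.+)$")
# Assumption: proxy ARP is disabled per interface with "sysopt noproxyarp <if>".
NOPROXY_RE = re.compile(r"^\s*sysopt\s+noproxyarp\s+(\S+)\s*$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def audit_proxy_arp(config_text):
    """Return (needed, conflicts).

    needed:    {interface: [mapped addresses the firewall must answer ARP for]}
    conflicts: interfaces with proxy ARP disabled that are still the second
               (mapped) interface of at least one static statement.
    """
    needed = defaultdict(list)
    disabled = set()
    for line in config_text.splitlines():
        m = STATIC_RE.match(line)
        if m:
            mapped_if, tokens = m.group(2), m.group(3).split()
            # Port-forward form: static (a,b) tcp|udp <mapped> <port> <real> <port>
            if tokens and tokens[0] in ("tcp", "udp"):
                tokens = tokens[1:]
            # The keyword "interface" means the interface's own address,
            # which is answered without proxy ARP, so only literal IPs count.
            if tokens and IPV4_RE.match(tokens[0]):
                needed[mapped_if].append(tokens[0])
            continue
        m = NOPROXY_RE.match(line)
        if m:
            disabled.add(m.group(1))
    return dict(needed), sorted(disabled & set(needed))


# Constructed sample config; only the first static line comes from the thread.
SAMPLE = """\
static (inside,outside) 217.22.12.66 192.168.5.1 netmask 255.255.255.255
static (inside,dmz) 10.10.10.50 192.168.5.20 netmask 255.255.255.255
static (outside,inside) 192.168.5.200 203.0.113.9 netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.5.30 443 netmask 255.255.255.255
sysopt noproxyarp dmz
"""

if __name__ == "__main__":
    needed, conflicts = audit_proxy_arp(SAMPLE)
    for ifc, addrs in sorted(needed.items()):
        print(f"{ifc}: must answer ARP for {', '.join(addrs)}")
    print("proxy ARP disabled but still needed on:", conflicts or "none")
```

An interface that never appears in `needed` is one where, by the rule in the thread, proxy ARP can be removed without breaking a static translation.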
